diff --git a/defaults/main.yml b/defaults/main.yml
index 71d6d626..583c1471 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -28,7 +28,7 @@ cache_timeout: 600
 
 # Set the package install state for distribution packages
 # Options are 'present' and 'latest'
-security_package_state: "latest"
+security_package_state: present
 
 ###############################################################################
 #   ____  _   _ _____ _        __     ____ _____ ___ ____
diff --git a/releasenotes/notes/package-state-present-951161faa5384abd.yaml b/releasenotes/notes/package-state-present-951161faa5384abd.yaml
new file mode 100644
index 00000000..70c6eaed
--- /dev/null
+++ b/releasenotes/notes/package-state-present-951161faa5384abd.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+  - The security role will accept the currently installed version of a package
+    rather than attempting to update it. This reduces unexpected changes on
+    the system from subsequent runs of the security role. Deployers can still
+    set ``security_package_state`` to ``latest`` to ensure that all packages
+    installed by the security role are up to date.